Northern New Mexico College - Campus Cyberinfrastructure Plan 1. Introduction The Information Technology (IT) Department at Northern New Mexico College (Northern or NNMC) provides services to its constituents (faculty, staff, and students) who are grouped in five colleges: Arts and Sciences, Engineering and Technology, Business, Health Science, and Education. From the transition from a community college to a four-year degree granting institution in 2004, the IT has expanded its infrastructure to accommodate the needs of the different colleges. The IT Department has established the following objectives, so that the campus infrastructure remains consistent with the institution s mission and the constituents needs: a) Enhance efficiency in the deployment and maintenance of IT infrastructure; b) Enhance teaching and research infrastructure capability for faculty and students; c) Enhance communication infrastructure for faculty, staff, and students; d) Maintain infrastructure up-to-date to keep the campus safe. 2. Strategies / Tactics (2011) To attain the above objectives, the following strategies were established: Segment the network in Virtual Local Area Networks (VLANs) to limit the collision / broadcast domains, and add scalability and security (approximately 40 VLANs currently deployed). Implement private IP addressing scheme using DHCP and NAT to improve security and simplicity for wireless and wired devices (segmented in different VLANs). Upgrade of campus network (access and core/distribution switches). Deploy fiber connections between the Vocational Education (VE) building where the IT department and telecommunications room is located (core/distribution layer), and the rest of the building across campus (access layer switches). Design and implementation of campus-wide wireless network. Replacement of traditional analog voice system to voice over IP system (ShoreTel). Implement of Storage Area Network (SAN). Implement security architecture with perimeter firewall, IPS, and VPN concentrator. Improve connectivity for specialized teaching and research labs and equipment, such as Aguila supercomputer and research servers. Consolidate hardware by migrating to the virtual environment. Test alternatives to solve identity and access management complexities. 3. NNMC CI Plan Progress to Date This section describes the implementation of the above strategies / tactics up to date. 3.1 Campus Enterprise Network General network design: the current campus enterprise network (CEN) is a hierarchical small-size network (see Fig. 1), which was upgraded in 2011 through a C2 EPSCoR grant. The CEN is attached to a regional ISP (Windstream Communications) via a Cisco 2800 Integrated Service Router (ISR). Northern gains access to the Internet and metro- and regional- networks through a 100 Mbps connection provided by the ISP. Traffic entering the CEN is forwarded to a collapsed core-distribution layer composed of five stackable Cisco 3750 layer 3 switches. The Cisco 3750 switches are interconnected using a special backplane StackWise cable that provides high-bandwidth throughput (16 Gbps) among them. The stack behaves as a single switching unit that is managed by a master switch elected from one of the member switches. The master switch automatically creates and updates all the switching and optional routing tables. A working stack can accept new members or delete old ones without service interruption.
Northern s motivation for the two-tier hierarchical network with collapsed core/distribution layers is the small-size campus community (at most, 600 people at a time on campus). The IT department is located in the Vocational Education (VE) building. The core/distribution is located in the telecommunications room in the VE building, from where 1 Gbps multi-mode fiber optics connections are deployed to access layer switches across the different buildings on campus. The access layer switches are Fig. 1. Campus Enterprise Network (CEN) Catalyst 2960 with 24 Fast Ethernet ports (100 Mbps) which provide connectivity to end devices, and two Small Form-Factor Pluggable (SFP) Gigabit ports for uplinks to the core/distribution. Switches (core/distribution and access) were upgraded and fiber connections were deployed to from the VE building to all other buildings. At the time (2011), the three newest buildings on campus (Teacher Education (TEC), Solar Energy Research Park and Academy (SP), which hosts the College of Engineering and Technology), and the new library) were also equipped (horizontal cabling, patch panels, telecommunications closet, and access switches). Northern s El Rito campus is located 30 miles north of the Española campus. El Rito gains access to the Internet via the Española campus as shown in Fig. 1. Northern s ISP (Windstream Communication) provides a Virtual Private Network (VPN) connection between the two campus using Multi-protocol Label Switching (MPLS). The point-to-point connection between El Rito and Española campuses is deployed through the ISP network. The implemented addressing scheme uses private IPv4 addresses (classes B and C) for both wired and wireless devices. Traffic to/from wireless devices is forwarded to a particular VLAN. The different buildings are assigned different VLANs (large buildings include several VLANs, segmented in labs, offices, and halls). Wireless network: The campus-wide 802.11 wireless network was deployed in 2011, as part of the state C2 EPSCoR project. A complete survey of the campus was performed, and as a result of it, the IT department deployed the following equipment on campus (Northern has no residential dorms): 49 indoor access points: 35 Cisco AP1142N and 14 Cisco AP1131G; 4 outdoors access points: Cisco AP1310G; 1 wireless controller WLC-2504. The campus has full wireless connectivity and in many labs and classrooms, wireless is the primary connection type. The wireless network operates in the 2.4 GHz frequency band. While there exists overlap in the area covered by many adjacent access points, the deployment minimizes the interference by tuning those access points to non-overlapping channels in that frequency band. Cybersecurity: in 2012, the perimeter security was upgraded with the deployment of a Sonic NSA E6500 firewall which also acts as VPN concentrator and Intrusion Prevention System (IPS). The Sonic firewall is the main network security appliance deployed on the campus network. End devices such as
servers and desktop computers located in offices and laboratories are protected with host-based antiviruses. 3.2 Aguila Supercomputer The IT Department relocated the Aguila Supercomputer to the High Tech building in 2013 to be physically located in the same building as the Mathematics laboratory. The computer is connected to the CEN via 1 Gbps connection to the core/distribution (although end devices are connected via Fast Ethernet ports). Faculty and students have access to Aguila through laboratory rooms. An Aguila node (composed of 12 cores) is connected to the rest of the nodes through Infiniband. 3.3 Data Storage and Servers The IT department deployed a Storage Area Network (SAN) in 2013. The SAN has a storage capacity of approximately 50 Terabytes (TBs). Northern s SAN is a dedicated network that provides access to staff and faculty to consolidated data. Currently, the SAN is primarily used by staff (e.g., HR, administrators) and the library. In 2014, the IT infrastructure at Northern was migrated to a virtual environment. The virtual environment is based on VMWare ESXi which hosts both Windows 2008 R2 and Red Hat Linux servers. Applications provided to faculty and staff on virtual and physical servers include Banner, Sharepoint, Wordpress, Booklog (bookstore serves), and other critical applications. Banner is the Enterprise Resource Planning (ERP) software used on campus for finance, student degree audits, human resources, student self-service, Blackboard, and E-learning integration. The migration reduced the number of physical servers needed to support the more than 50+ applications and therefore reduced financial required resources (e.g., electricity, air conditioning). 3.4 Applications IT has recently (February 2015) acquired licenses to provide Microsoft Office 365 (Excel, Word, Access, and Powerpoint) to its students, faculty, and staff. Other specialized applications include Adobe Creative Suite, SolidWorks, Touchnet, and enterprise license for Google Apps. 3.5 Campus Phone System In 2013, Northern upgraded its phone system from a traditional analog to a voice over IP system. The entire campus (more than 500 phones installed in offices, laboratories, administration, student centers, and athletic facilities) migrated to an on-premises IP PBX ShoreTel system, which added efficiency and reduced cost by using the same IP network as regular data. 3.6 Infrastructure to Support Campus Security The IT department supports the infrastructure used to record surveillance video. Data from the 100 Avigilon high-resolution IP cameras deployed through campus on 2014 is transferred from camera locations to core-distribution switches through fiber optics connections reserve for them. Thus, surveillance video traffic is not aggregated at access layer with regular data traffic. Surveillance video traffic is isolated on its own VLAN. The application layer protocol used by Avigilion is H.264 which uses TCP services. 3.7 Identity and Access Management Northern s IT has an identity and access management system based on Microsoft security applications. The identity and access management system provides the following features: Person Registry: this is integrated with the ERP (Banner) system adopted at Northern. Directory Information Provisioners: directory information is provisioned to AD and LDAP. 3.8 Teaching Support and Training
To enhance teaching capability, the college has adopted the Blackboard platform as its learning management system (LMS) in 2008. Distance learning capability is used to offer at least 120 courses per semester (online, hybrid, and enhanced face-to-face courses). In the last five years, the college had a growth of more than 70% in the number of courses enriched with distance learning. In 2012, the IT Department designed and implemented multiple classrooms endowed with recording capability (lectures, seminars, lab activities). Faculty and researcher can live stream content which is stored in a purposed built-in content server. Starting on the Fall 2015, Northern will acquire the add-on Blackboard feature Collaborate, which is an online collaboration tool used to create virtual classrooms, meeting, and research space. The Center for Distance Learning utilizes Blackboard training seminars for university instructors. The seminars purpose is to improve current and projected online course offerings utilizing IT infrastructure, and to align its use to Quality Matters Course Standards Rubric. 4. Remaining Strategies / Tactics (2015) Design and implementation of a Science DMZ. Implement a campus network monitoring system. Upgrade the perimeter security, addressing BCP 38. Expand storage capacity with a new SAN. Deployment of dual stack IPv4 and IPv6. Study the feasibility of using InCommon identity management services. Upgrade connectivity to ABQG. 5. NNMC CI Plan (2015 2017) This section describes the plan to implement the above remaining strategies / tactics. 5.1 Design and Implementation of a Science DMZ While the original CEN design is still viable for regular campus traffic, since the inception of the Bachelor s of Engineering, Biology, and Environmental Science degrees in 2008, the research projects the new faculty are involved in (as described in Section 2 of the Project Description) require an enhanced throughput capacity, beyond the Fast Ethernet rate (100 Mbps) currently available for end devices attached to the CEN. The dedicated research network is shown in Fig. 2. It will provide 10 Gbps connectivity to five access locations: datacenter, which will host the new DTNs to be used by researchers across campus; networking / engineering lab; two science labs; and Aguila supercomputer. These five locations have been identifying as critical for their STEM research and teaching needs. The new border router (BR) will replace the current border router and will be capable of aggregating at least 40 Gbps, to replace the current 100 Mbps BR. UNM is supporting Northern in the technical design of the Science DMZ and in the improvement of the CEN. UNM will continue the support in the eventual deployment of the Science DMZ. 5.2 Implement a Campus Network Monitoring System Fig. 2. Proposed Science DMZ. A monitoring system will be implemented to measure network performance and traffic across campus.
The tools to be deployed are: Syslog, Netflow, and perfsonar (currently, there are two perfsonar measurement points on campus). The first two will be used for recording and notification of events in the network (they can be centralized, as devices report to the central monitoring device); more perfsonar nodes will be deployed to quantify intra-campus performance of traffic flows between DTNs, storage nodes, and labs, and to quantify end-to-end flow performance between Northern s Española campus and partnering institutions such as UNM. 5.3 Upgrade the Perimeter Security, Addressing BCP 38 In lieu of the "BCP 38" packet filtering approach, Northern plans to extend its spoofing prevention with other IP mechanisms. Additional filters will be added to the Intrusion Prevention System to specifically block spoofed IP traffic. These filters are: 0051: IP: Source IP address Spoofed (Impossible Packet). 0052: IP: Source IP Address Spoofed (Loopback). 0053: IP: Source IP Address Spoofed (IANA Reserved). 0054: IP: Source IP Address Spoofed (Multicast). 00558: IP: Invalid IP Traffic (Destination IP Address set to Loopback). 5.4 Expand Storage Capacity with a New SAN Because of the new type of research mostly from the science and engineering units, IT has recently allocated storage capacity to faculty members in those units. As a result of the increasing demand from research activities in science and engineering, IT is planning to deploy an additional SAN with the storage capacity of 100 TBs, primary for redundancy, via EPSCoR funds. 5.5 Deployment of Dual Stack IPv4 and IPv6 The current CEN network infrastructure (see Fig. 1) supports dual stack. The border router, core/distribution and access layer switches have both IPv4 and IPv6 stacks (all end devices also support both IPv4 and IPv6). Northern dual stack addressing strategy includes an IPv6 addressing scheme without interfering with the current IPv4 address scheme. This will allow for a smooth transition from the current IP base. 5.6 InCommon Identity Management Services and Upgrade Connectivity to ABQG Currently, Northern is not part of incommon federation. As a small institution that still has limited connectivity to ABQG (New Mexico s exchange point to Internet2 and to regional and national networks), the acquisition of incommon will be studied with the regional leadership institution in the state, University of New Mexico (UNM). To satisfy the needs of increasing collaboration with regional and national institutions, Northern will demand further improvement and connectivity to Internet2. The first step toward obtaining connectivity to Internet2 is the acquisition of the new border router through this CC*DNI project. The new border router will contain multiple built-in interfaces of at least 10 Gbps ports, and will support expansion slots for ports of 40 Gbps or above. The following step will be the bandwidth upgrade and connectivity from Northern s Española campus to ABQG. The prohibited high bandwidth cost and limited connectivity across the mountainous sovereign tribal lands, sparsely populated (17 people per square mile versus the national average of 87), with varying governing bodies represent challenges for the connectivity upgrade. The college is actively working with a consortium of universities and state agencies (see letters of commitment from the two largest research institutions in the state), led by UNM, to leverage costs of initial last-mile builds in the interest of the broader Española community. The consortium has planned a regional meeting and technical workshop in Española. The meeting will engage research, education, government and economic communities for the purpose of technical broadband planning, including city and county government representatives, and state legislative representatives. As a result of this, Northern expects to obtain support to increase its bandwidth connectivity to ABQG and Santa Fe to at least 1Gbps, which will permit to expand its research initiatives.